io_uring: Fix danger of completion getting reused before being read

Started by Andres Freund, 3 months ago, 2 messages, hackers
#1 Andres Freund
andres@anarazel.de

Hi,

I privately got a report about a bug in method_io_uring.c:

We are calling io_uring_cqe_seen(..., cqe) before reading cqe->res. That
allows the completion to be reused, which in turn could lead to cqe->res being
overwritten. The window for that is very narrow and the likelihood of it
happening is very low, as we should never actually utilize all CQEs, but the
consequences would be bad.

I plan to push the fix soon-ish.

Greetings,

Andres Freund

Attachments:

v1-0001-aio-io_uring-Fix-danger-of-completion-getting-reu.patch (text/x-diff; charset=us-ascii; +4 -4)
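To make the ordering hazard concrete, here is an added example (not code from the thread, from PostgreSQL's method_io_uring.c, or from liburing). It is a constructed, single-threaded toy completion ring: kernel_post(), peek_cqe() and cqe_seen() are stand-ins for the kernel posting a CQE, io_uring_peek_cqe() and io_uring_cqe_seen(). The ring is filled completely so that advancing the head frees a slot the producer immediately reuses; consume_seen_then_read() shows the buggy order (release, then read cqe->res) returning the result of a different request, and consume_read_then_seen() shows the fixed order (snapshot res and user_data, then release).

```c
/* Constructed simulation of the CQE reuse hazard; NOT liburing. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CQ_ENTRIES 4           /* small ring so slot reuse is easy to show */

struct toy_cqe {
    uint64_t user_data;        /* which request this completion belongs to */
    int32_t  res;              /* result: bytes transferred or -errno */
};

struct toy_cq {
    struct toy_cqe ring[CQ_ENTRIES];
    uint32_t head;             /* consumer index, advanced by cqe_seen() */
    uint32_t tail;             /* producer index, advanced by kernel_post() */
};

/* Producer ("kernel") side: post a completion if there is a free slot.
 * A slot is free as soon as the consumer's head has moved past it.
 * Returns 0 on success, -1 if the ring is full. */
static int kernel_post(struct toy_cq *cq, uint64_t user_data, int32_t res)
{
    if (cq->tail - cq->head == CQ_ENTRIES)
        return -1;
    struct toy_cqe *slot = &cq->ring[cq->tail % CQ_ENTRIES];
    slot->user_data = user_data;
    slot->res = res;
    cq->tail++;
    return 0;
}

/* Consumer side: pointer to the oldest unconsumed completion, or NULL.
 * Stand-in for io_uring_peek_cqe(). */
static struct toy_cqe *peek_cqe(struct toy_cq *cq)
{
    if (cq->head == cq->tail)
        return NULL;
    return &cq->ring[cq->head % CQ_ENTRIES];
}

/* Consumer side: mark the oldest completion consumed. Stand-in for
 * io_uring_cqe_seen(); after this the slot may be overwritten any time. */
static void cqe_seen(struct toy_cq *cq)
{
    cq->head++;
}

/* Fill the ring with completions for requests 1..CQ_ENTRIES,
 * each carrying res == user_data * 10, so every slot is occupied. */
static void fill_ring(struct toy_cq *cq)
{
    memset(cq, 0, sizeof(*cq));
    for (uint64_t i = 1; i <= CQ_ENTRIES; i++)
        kernel_post(cq, i, (int32_t)(i * 10));
}

/* Buggy order: release the slot, then read res. The producer runs in
 * between (deterministically here, asynchronously in the real kernel)
 * and reuses the slot, so the caller sees another request's result. */
int32_t consume_seen_then_read(void)
{
    struct toy_cq cq;
    fill_ring(&cq);
    struct toy_cqe *cqe = peek_cqe(&cq);     /* completion for request 1 */
    cqe_seen(&cq);                           /* slot is now free for reuse */
    kernel_post(&cq, 99, -5);                /* producer reuses that slot */
    return cqe->res;                         /* -5, not the expected 10 */
}

/* Fixed order: copy everything needed out of the CQE, then release it. */
int32_t consume_read_then_seen(void)
{
    struct toy_cq cq;
    fill_ring(&cq);
    struct toy_cqe *cqe = peek_cqe(&cq);
    int32_t res = cqe->res;                  /* snapshot before releasing */
    uint64_t user_data = cqe->user_data;
    cqe_seen(&cq);
    kernel_post(&cq, 99, -5);                /* reuse can no longer hurt us */
    (void)user_data;
    return res;                              /* 10 */
}

int main(void)
{
    printf("seen-then-read: res=%d\n", consume_seen_then_read());
    printf("read-then-seen: res=%d\n", consume_read_then_seen());
    return 0;
}
```

In the toy the producer is called explicitly between the two steps; in real io_uring the kernel fills the CQ ring concurrently, which is why the window is narrow and only opens when the ring is close to full, exactly as the report says.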
#2 Kirill Reshke
reshkekirill@gmail.com
In reply to: Andres Freund (#1)
Re: io_uring: Fix danger of completion getting reused before being read

On Thu, 15 Jan 2026 at 20:38, Andres Freund <andres@anarazel.de> wrote:

> Hi,
>
> I privately got a report about a bug in method_io_uring.c:
>
> We are calling io_uring_cqe_seen(..., cqe) before reading cqe->res. That
> allows the completion to be reused, which in turn could lead to cqe->res being
> overwritten. The window for that is very narrow and the likelihood of it
> happening is very low, as we should never actually utilize all CQEs, but the
> consequences would be bad.
>
> I plan to push the fix soon-ish.
>
> Greetings,
>
> Andres Freund

I see this is already committed as 807764990. Just pointing in case
somebody wants to review.

--
Best regards,
Kirill Reshke